On Jun 12, 2013, at 8:15 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote: > On Wed, Jun 12, 2013 at 2:43 PM, John Nielsen <lists@xxxxxxxxxxxx> wrote: >> On Jun 12, 2013, at 2:51 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote: >> >>> On Wed, Jun 12, 2013 at 1:48 PM, John Nielsen <lists@xxxxxxxxxxxx> wrote: >>>> On Jun 12, 2013, at 2:02 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote: >>>> >>>>> On Wed, Jun 12, 2013 at 12:59 PM, John Nielsen <lists@xxxxxxxxxxxx> wrote: >>>>>> After updating to Cuttlefish I was able to set up two rados gateways using distinct pools and users. (Thanks Yehuda!) Now I'd like to make it so the user for each gateway can only access its own pools and nothing else. The reasons include security and preventing foot-shooting. >>>>>> >>>>>> Instead of simply having this: caps osd = "allow rwx" >>>>>> >>>>>> I tried: >>>>>> >>>>>> caps osd = "allow class-read, allow pool .intent-log rwx, allow pool .log rwx, allow pool .rgw rwx, allow pool .rgw.buckets rwx, allow pool .rgw.control rwx, allow pool .rgw.gc rwx, allow pool .usage rwx, allow pool .users rwx, allow pool .users.email rwx, allow pool .users.swift rwx, allow pool .users.uid rwx" >>>>> >>>>> You'll need more than just class-read. >>>> >>>> Can you be more specific? >>> >>> Try adding class-write. >> >> >> With: >> caps osd = "allow x, allow pool .pubintent-log rwx, allow pool .publog rwx, allow pool .pubrgw rwx, allow pool .pubrgw.buckets rwx, allow pool .pubrgw.control rwx, allow pool .pubrgw.gc rwx, allow pool .pubusage rwx, allow pool .pubusers rwx, allow pool .pubusers.email rwx, allow pool .pubusers.swift rwx, allow pool .pubusers.uid rwx" >> > > Instead of adding 'class-write', you removed 'class-read'. You > probably need both. Is "x" not the same as "class-write class-read"? In any case, I see the same behavior with "class-write class-read". >> I get the same result: >> >> 2013-06-12 13:47:21.711904 7f9f53244820 0 ceph version 0.61.3 (92b1e398576d55df8e5888dd1a9545ed3fd99532), process radosgw, pid 6173 >> 2013-06-12 13:47:21.727924 7f9f53244820 20 get_obj_state: rctx=0x2b72690 obj=.pubrgw:zone_info state=0x2b763d8 s->prefetch_data=0 >> 2013-06-12 13:47:21.727945 7f9f53244820 10 cache get: name=.pubrgw+zone_info : miss >> 2013-06-12 13:47:21.731676 7f9f37fff700 2 garbage collection: start >> 2013-06-12 13:47:21.734877 7f9f37fff700 0 ERROR: garbage collection process() returned error r=-1 >> 2013-06-12 13:47:21.734888 7f9f37fff700 2 garbage collection: stop >> 2013-06-12 13:47:21.736052 7f9f53244820 -1 Couldn't init storage provider (RADOS) >> > _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |